In the past few months, I have been sharing my views about cybersecurity myths, some of them held by the public and some still held (and propagated) by cybersecurity professionals and companies. One that may have been true at one time, but is no longer the case, is that your protection depends on just the perimeter. This is similar to the myth that security is the responsibility of the IT department.

High walls, strong perimeters

When the Chinese decided to live in peace, they built the Great Wall of China. They thought that no one could climb it because of its height… However, in the 100 years after its construction, the Chinese were invaded 3 times. Enemy infantry soldiers never needed to climb or penetrate the wall, because they simply bribed the guards and got in through the gates. The Chinese had built high and thick walls, yet they didn’t build the character of the wall guards.

No matter the strength of your external protection, it can be bypassed through the frailty of humans. As with the Trojan Horse, it takes just a single person to open the door and let the attackers in.

Investment in perimeters

In cybersecurity, we invest in hardware like firewalls and in software like anti-malware, but these are all rendered useless if we don’t also invest in governance, education, and training. A single invalid setting on the hardware or software can disable the protections, and a single user with a bad password can let hackers in.

The trucking company KNP was completely destroyed by a single user’s easy-to-guess password that enabled ransomware to get into the company. The 158-year-old company had industry standard protections, proper backups and disaster recovery systems, but through a guessed password (and no MFA), the hackers were able to delete all backups and encrypt the company’s data.

Third Party risk

As a human society, we inherently trust people. Well, mostly. Target’s hack in 2013 is a key example of a trusted partner being the vector for the weakness. The perimeter protection was not enough to protect Target, as the HVAC provider was within the circle of trust.
